October 11, 2016 By Westley McDuffie

Hacker Summer Camp 2016 has come and gone. I have the badges to prove it. (I also have an average daily mileage count of 13 and blisters to prove it.) Hacker Summer Camp is as good as it gets, with 20,000-plus of my closest computer security professional friends in the confines of a Las Vegas hotel. By no means is it cheap, but the security education benefits far outweigh the costs.

To be clear, these are not the only conferences around. Other cons may not get the same level of notoriety as Black Hat or DEF CON, but they are still valuable for a variety of reasons.

The Pros of Attending Cons

As a professional in the community, attending a conference is paramount. Employers certainly see the benefit of encouraging employees to attend conferences throughout the year. There is no con, so to speak, in attending a con.

Networking

The first and most important benefit of attending conferences is the opportunity to network. You can’t put a price tag on it — it’s all about relationships. While we as a practicing group (DEFENDER/BLUETEAM) don’t talk to each other enough, attackers do. I spoke at a small conference a few weeks ago and found out that loss prevention teams hold meetings to discuss the how, what and where of shoplifters’ activities. They also work with competitors and police to stop retail theft, including point-of-sale (POS) and ATM thefts.

I asked about the network security teams and found that they do not participate. It seems like a half-baked idea to share theft analytics but not IT-related issues regarding attacks and defense strategies. Sharing information and knowledge strengthens the community as a whole.

Security Education

Security education is the second benefit. Most security certifications require some kind of continuing education, and one conference can often cover the security education requirement for the year. Some presenters are actual instructors, while others are engineers or security practitioners. Nearly all have real-world experience in the security field, which is more valuable than dry information from a book.

Again, if we BLUETEAM folks were getting better at our jobs, attack surfaces would be getting smaller and the number of high-profile attacks and vulnerability disclosures would shrink proportionally. Unfortunately, that is not the case.

Community Outreach

Another benefit is community outreach. We are all professionals, though we may not always act like it. This community is built on mentorships, which often form at conferences and networking events. All conferences offer opportunities to be mentored or become a mentor — sometimes both. Smaller cons provide attendees a better chance to interact with speakers, while larger events offer opportunities to meet mentors from within the crowd.

Conferences for All Budgets and Experience Levels

Despite the many benefits of attending security conferences, the costs can seem prohibitive. A ticket to Black Hat, for example, costs a few thousand dollars, while DEF CON is priced somewhere around $250. Combined with the costs of airfare, lodging, food and time missed from work, the bill adds up.

But Black Hat and DEF CON are not the only two games in town. BSides are amazing small-money conferences — some are even free or offer opportunities to volunteer in exchange for a ticket. Many are within a two-hour drive from major cities.

The RSA Conference is vendor-heavy, as is Black Hat. These conferences offer face time with the vendors of your choice. Sometimes you can even score face time with technical experts.

DerbyCon is the largest security conference in the Southern U.S. ToorCon and ShmooCon are also incredible conferences to attend, along with CanSecWest and SecTor. You could attend all the conferences mentioned above, but that would be ill-advised even for seasoned security professionals. Neither your wallet nor your liver could take it.

No matter the conference, and no matter its size, we were all con newbies once. You don’t need to be a cybersecurity expert to attend as long as you’re willing to learn. If you don’t know anybody, you are guaranteed to make new friends before you leave. All you have to do is say hello. DEF CON even has a 101 talk just for first-year attendees.

Giving Back

I volunteer. I give back. I am a red-shirt security goon at DEF CON. For me, it is a chance to work with the mentors who taught me throughout my career and to interact with some of the brightest minds in the profession. It is also a chance for me to mentor those in attendance and fellow goons. Volunteering for a conference is a huge commitment, but it allows me to keep my focus on our industry. It’s part of my professional development.

I also use it as a watermark for conducting job interviews. I want to see how serious you are about the cybersecurity community. It’s not a deal breaker if a candidate does not attend security conferences, but one who is plugged into that community certainly has a leg up. Plus, you can learn a lot about a person by which conferences he or she attends.

That’s a valuable lesson — and one that I learned at a security conference.
